Research from the security company FireEye reveals that several hundred Android and iOS apps are still vulnerable to FREAK attacks. The flaw, which was disclosed in early March, is said to have exposed billions of users to data breaches.
Researchers from the company scanned almost 11,000 Android apps from Google Play, each of which had over one million downloads. They found that 11.2 percent of those apps were still vulnerable to FREAK.
In the case of iOS, 771 of the 14,079 popular apps scanned (5.5 percent) were found to be affected. However, most of the affected apps are vulnerable only on earlier versions of the OS, before the iOS 8.2 update; only seven of the apps remain vulnerable on the current version of iOS.
"A FREAK attack allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data," FireEye said in its report. "For a FREAK attack to succeed, the server has to accept RSA_Export cipher suites and the client has to allow temporary RSA keys in non-export ciphersuites."
One way an attacker could exploit FREAK is to intercept login credentials and credit card data sent through a vulnerable shopping app. Financial, medical and other personal details transmitted by affected apps are exposed in the same way.
"Mobile apps have become important front ends and valuable targets for attackers," adds FireEye. "The FREAK attack poses severe threats to the security and privacy of mobile apps. We encourage app developers and website admins to fix this issue as soon as possible."
FREAK is considered a unique type of flaw because fixing it requires upgrading a wide variety of products. Although Apple and Google have already patched their respective mobile OSes, many of the apps that run on those devices need to be upgraded as well.
FireEye also explained that FREAK is both an app vulnerability and a platform vulnerability. The reason is that apps on both Android and iOS can bundle their own vulnerable copies of the OpenSSL library. This means that even after the vendors patch both operating systems, such apps remain vulnerable to FREAK when they connect to servers that accept RSA_EXPORT cipher suites.
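The server-side half of FireEye's condition, a server that still accepts RSA_EXPORT cipher suites, is something a site admin can check directly. The following is an added example, not code from FireEye or either platform: it builds a probe ClientHello that offers only the RSA_EXPORT suites and classifies the server's first record; the sample ServerHello is constructed for offline testing, and `probe()` is meant for servers you administer.

```python
import socket
import struct

# IANA cipher-suite codes for the RSA_EXPORT suites a FREAK-exposed server accepts.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_probe_client_hello(suites=tuple(RSA_EXPORT_SUITES), version=(3, 1)):
    """TLS 1.0 ClientHello record that offers only the given suites (no extensions)."""
    body = struct.pack("!BB", *version)                       # client_version
    body += bytes(32)                                         # random (zeros: probe only)
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(suites))                # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake

def classify_server_response(record):
    """Classify the first TLS record sent back: a patched server answers with an Alert
    (handshake_failure, code 40); a FREAK-exposed server selects an export suite."""
    content_type = record[0]
    if content_type == 0x15:                                  # Alert: suites refused (good)
        return ("refused", record[6])
    if content_type != 0x16 or record[5] != 0x02:             # not a ServerHello
        raise ValueError("unexpected record")
    # ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) ...
    pos = 5 + 4 + 2 + 32                                      # record hdr + hs hdr + version + random
    pos += 1 + record[pos]                                    # skip session_id
    suite = struct.unpack("!H", record[pos:pos + 2])[0]
    if suite in RSA_EXPORT_SUITES:
        return ("accepts_export", RSA_EXPORT_SUITES[suite])
    return ("other", suite)

def make_sample_server_hello(suite, session_id=b""):
    """Constructed ServerHello record for offline testing (not captured traffic)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"                # chosen suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host, port=443, timeout=5):
    """Send the probe to a server you operate and classify its first record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_client_hello())
        return classify_server_response(sock.recv(4096))
```

A result of `("refused", 40)` is the expected answer from a correctly configured server; `("accepts_export", ...)` means the server-side precondition for FREAK still holds.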
Photo: Álvaro Ibáñez | Flickr